LastPass Sentry Now Checks Your Entire Vault!

We recently introduced LastPass Sentry, a new feature to help LastPass users be more proactive about their online security by alerting them when their email address is included in the latest breaches of online sites and services (think LinkedIn).

We’re excited to announce that LastPass Sentry is now also supported as part of the LastPass Security Challenge! The update means that a full check can be performed locally against your entire LastPass vault to look for accounts that may have been affected by a breach, in addition to the ongoing monitoring of your LastPass account email address.

How LastPass Sentry now works:

Sentry still performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.

If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk.

Users can also run the LastPass Security Challenge (from the LastPass Icon’s Tools menu) and select the option to look for breaches of their stored accounts.

If any matches are found between the PwnedList database and the data in your vault, notifications are sent to the affected email addresses with information on the breach and a reminder to update your passwords.

We then recommend updating the password for any affected accounts, and any other accounts using that password (which the Security Challenge will help you identify), using LastPass to generate a new, strong password.
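
The vault check and the follow-up search for reused passwords described above, as an added example (not LastPass code; the vault layout, the breach-feed format and the function names are assumptions, and all data is constructed):

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample vault: not real accounts.
VAULT = [
    {"site": "forum.example", "username": "alice@example.com", "password": "Summer2012!"},
    {"site": "shop.example", "username": "alice@example.com", "password": "Summer2012!"},
    {"site": "bank.example", "username": "alice.bank@example.com", "password": "k#9Lw2$Qz7pV"},
    {"site": "blog.example", "username": "Alice.Old@Example.com", "password": "Summer2012!"},
]
# Hypothetical breach feed (assumed format): email address -> breached domain.
BREACH_FEED = {"alice.old@example.com": "blog.example"}


def normalize(email):
    """Compare addresses case-insensitively and without stray whitespace."""
    return email.strip().lower()


def audit(vault, breach_feed, key=None):
    """Return vault entries whose email is in the feed, plus sites reusing their password."""
    key = key or os.urandom(32)  # per-run key: fingerprints are useless outside this run

    def fingerprint(password):
        # Keyed hash so the grouping index never holds plaintext passwords.
        return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()

    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[fingerprint(entry["password"])].append(entry["site"])

    report = []
    for entry in vault:
        email = normalize(entry["username"])
        domain = breach_feed.get(email)
        if domain is None:
            continue  # this address is not in the breach feed
        shared = sites_by_password[fingerprint(entry["password"])]
        report.append({
            "email": email,
            "breached_domain": domain,
            "site": entry["site"],
            # Other accounts that must get a new password too.
            "also_change": sorted(s for s in shared if s != entry["site"]),
        })
    return report
```

Everything runs on the local copy of the vault; only the list of affected entries leaves the function.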

As we mentioned previously, the feature is available for all free and Premium users, as well as corporate Enterprise users. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.

We plan to continue increasing the frequency of our database checks to work towards real-time notifications and further enhance the service to provide ongoing value to our users.

What do you think of the update to LastPass Sentry? Leave your thoughts in the comments below!

40 Comments

Most sites you don’t need a highly secure password. I use one that is easily remembered containing numbers, letters and symbols. For bank sites, email and other more important sites I use highly variable passwords that are long. Last pass helps with all of these, but I back them up on my desktop and laptop with another app – password safe – just in case of a catastrophic loss…

I have been using LastPass for almost four to five years now with NO problem at all. While it is normal to worry sometimes, most of the time I feel safe with them. Btw, I keep a 24-character/key master password!

It’s not about not “trusting” LastPass, just that any software or website is subject to issues and to put all your eggs in just one basket in general is not a good idea — for anything. The idea of having no clue what any of my passwords are except my master password and my only access to all my accounts is via LastPass since only it knows them all is scary should there be any incident or failure. You’d be crippled in that case.

So if you shouldn’t use your master password on a public or guest computer, then how do you know how many “one-time” passwords to create? If you’re going away on a trip you’ll need more than one time obviously. Something about having no clue about what any of my passwords are is just scary to me.

Two main concerns I have with changing all passwords that are duplicates or weak:

1) I have dozens (even hundreds) of sites using the same password. Do you expect us to go through each site individually and through all the log-in processes and subsequent menus to get to the “change password” screen for each site?? That would take all day (or all week if you did not work around the clock nonstop) and who has the time or patience for that?!

2) Secondly, since there are hundreds of sites you say should all have different passwords, I’m assuming you mean to have them computer-generated automatically by Last Pass right? No one is going to personally sit and try to think of hundreds of different secure yet memorable passwords. However, if auto-generated they won’t be memorable and then one is relying on Last Pass to never fail and to always have it available even when on a public or guest computer. How can you put all your trust in Last Pass in those cases and risk being shut out of all your accounts??

If there is a simple solution to all this that I may be overlooking please let me know, thanks.

1) You’ll have to go through each site individually to change passwords. LastPass isn’t in control of all the sites you use, and doesn’t know how to change the password on each one (as every site would probably have a different “change password” page). I guess the solution is to be secure from the beginning, and never share passwords on any site. If the sites you’re sharing your passwords on aren’t very security-critical then it’s probably okay for them to share passwords, as long as you keep the risks in mind (if one site gets compromised and hackers obtain your password from it, they could potentially log in to every other site that shares that same password).

2) The whole point of LastPass is to generate complex passwords for every site you use, and use your LastPass master password to retrieve the passwords when you need them (so you don’t have to memorise them all). If you don’t want to put your trust in LastPass, why are you using it? On a public or guest computer, you can log in at the website (https://lastpass.com/) and get your passwords that way. You could generate some One Time Passwords to use on public computers – These are passwords that only let you log in to your LastPass account once. I’d suggest doing this as using your master password on a public computer isn’t a very good idea security-wise.

It would delight you perhaps to know that our passwords can be accessed anytime using any browser even if we’re offline! With this, whatever happens to the physical servers of LastPass, our passwords are all within our reach.

Feature request: Let me select a list of passwords to update. Save the list. For each pwd:

1) Take me to the site
2) Log me in
3) Select acnt/settings/password
4) Change the password to a generated one and update the list of pwds

I second this auto password update. Also, I should be able to choose sites or a group of sites to just update the password in Lastpass (no need to go to site) all with the same password. This would be good for me when I change my active directory password and want to change all sites associated with that account.

How about a feature to warn when you go to a site and have a weak password? I have a bunch of sites with the same pw, I don’t want to sit down and crawl through a hundred blogs etc, but I would do it one at a time, when I go to the site in question, if the system prompted me (and I need to be able to tell Lastpass to ignore some sites, of course).

The email should only be sent if a match is found – if no email is sent, no match was found. If you do think a match was found with no follow-up email, please send a report directly to the team at https://lastpass.com/supportticket.php

Liking this addition, however if possible I’d like to be able to tell the Sentry check to send all details for the email addresses to a single account (the account master email address) rather than have it send individual mails. Is that possible?

1) It’s probably not necessary to check the address I use as my LastPass user name since that’s already being checked.

2) It’d be nice if the addresses to be checked were in a checklist so that some could be deselected. Alternatively, it would be nice if the report could be sent to my LastPass account’s email address. As one example, I’m thinking of my comcast account that I never check and I’m not even sure how to check it. Another case is accounts that belong to family members — they’re not expecting the message and I either can’t or don’t want to peek at their mail. In that case, I’d rather get the notice and follow-up with them to make sure it gets addressed.

I second this comment. The emails should go to the lastpass account’s email address. I have email accounts that I use for username but I cannot check those email accounts. For example, some accounts related to my kid have her email address but if lastpass sent an alert email to her, she won’t (care to) do anything.

Love the features but I’m not clear on how Sentry actually works (aside from being integrated into the Security Challenge). Is this all done automatically and we’re notified if our information has been compromised? Because I don’t see any options to use it anywhere. I’m a Lastpass premium user.

The checks for your LastPass account email address happen automatically; we do a secure check of the entire database pulling the latest updates from PwnedList.

In the case of the vault check, though, you have to run the security challenge from the LastPass Icon > Tools menu > Security Check/Challenge, which will ask if you want to check for any breaches of your sites. You’ll have to go through those steps every time you want to run the check locally against your entire vault.

That does clarify, thank you Amber. Features are even better when I don’t actually have to use them to take advantage of them! But I did run the Security Challenge and was notified of an old breach so I saw it in action.

I have the same issue (lots of email addresses) and would like to check some but not the others. This might occur if an address that I used as an official of an organization was now passed on to someone else (example: treasurer, president, etc.) Although the email address may still be in my database, I no longer use it and the current user might not welcome getting an unsolicited email from LastPass. So the ability to selectively check some of the addresses would be nice.

What is LastPass?

LastPass simplifies your online life by remembering your passwords for you. With LastPass to manage your logins, it's easy to have a strong, unique password for every online account and improve your online security. Get started today - it's free.
